
Laptop won't start up


  • This topic is locked
40 replies to this topic

#1 The Duchess

The Duchess

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:01:42 PM

Posted 10 March 2012 - 09:48 PM

I have a Toshiba Satellite laptop with windows 7. Last week it randomly shut down on my boyfriend but it restarted for him. Last night I was on the laptop and had windows explorer open and it closed the window and shut the computer off. Now it won't start. When you turn it on you get the Toshiba screen then it goes to a blank black screen with the cursor on the top left. I have tried the safe mode and it won't start in safe mode either. I can hit F12 and get the boot manager and F2 to get the Setup Utility. Other than that it won't do anything.

Thanks



#2 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:04:42 AM

Posted 12 March 2012 - 01:58 AM

The events that you describe, including the "blank black screen with a blinking cursor in the upper left corner of the screen" indicate a likely malware infection, namely an infection of the MBR (MasterBootRecord).

Let's have a look at the MBR.

Please try the following: You will need a USB drive/flashdrive and a new blank writable CD.

:step1: Please do the following on a working computer:
  • Download GETxPUD.exe to the Desktop.
  • Run GETxPUD.exe
    A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
    Please be patient: This could take a while - download file size 63MB.
  • Click on Start and follow the prompts to burn the image to a CD.
You will use this CD to boot the ailing computer from.


:step2: Boot the ailing computer with the xPUD CD.
  • (You may have to configure the Boot Menu or BIOS Setup Menu to boot first from the optical/CD/DVD drive.)
    A Welcome to xPUD screen will appear.
  • Click on File.
  • Expand the mnt icon on the left (click on the little arrow beside the icon).
    • sda1, sda2 etc. ...usually correspond to your HDD partitions
    • sdb1, sdc1 is likely to correspond to a USB flashdrive, external USB hard drive etc.
  • Click on the folder that represents your USB drive (sdb1 ?).
  • Click Tool on the top menu, and choose Open Terminal.
  • Type the following at the hash prompt:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

    • Note: Leave a space between the following:
      • dd ... the executable application used to create the backup
      • if=/dev/sda ... the device the backup is created from (the hard drive when only one HDD exists)
      • of=mbr.bin ... the backup file to create - note the lack of a path - it will be created in the directory currently open in the Terminal
      • bs=512 ... the number of bytes in the backup
      • count=1 ... says to backup just 1 sector
        It is extremely important that the if and of statements are correctly entered.
  • Press the <ENTER> key.
    After it has finished a file will be located on your USB drive named mbr.bin.
  • Remove the USB drive from the ailing computer.

:step3: On the working computer:
  • Insert the USB drive, and navigate to the file mbr.bin
  • Zip-up the mbr.bin file:
    • Right-click on the file and choose Send to .. > Compressed (zipped) Folder.
      A zipped folder will appear in the same location as the mbr.bin file.
  • Please attach the zipped file to your next reply.
    This will allow the MasterBootRecord of your drive to be checked to see whether or not it is infected.

Edited by AustrAlien, 12 March 2012 - 01:59 AM.

AustrAlien
Google is my friend. Make Google your friend too.
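
Added example, not part of the original post or of any tool named in this thread: a Python check of a 512-byte dump like the `mbr.bin` produced by the `dd` command in post #2. It parses the partition table, verifies the boot signature, and compares the boot-code hash against a reference. The function names, the constructed sample sectors and the reference hash are assumptions made for illustration.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440    # bootstrap code; bytes 440-445 hold the disk signature
TABLE_OFF = 446        # four 16-byte partition entries
SIG_OFF = 510          # boot signature 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into the fields that matter for triage."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    parts = []
    for i in range(4):
        raw = sector[TABLE_OFF + 16 * i: TABLE_OFF + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, count
        status, ptype, lba, count = struct.unpack("<B3xB3xII", raw)
        if ptype:
            parts.append({"slot": i, "status": status, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[SIG_OFF:] == b"\x55\xaa",
        "disk_signature": sector[440:444].hex(),
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "boot_code_blank": not any(sector[:BOOT_CODE_LEN]),
        "partitions": parts,
    }


def triage(sector: bytes, reference_sha256: str = "") -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_blank"]:
        findings.append("boot code area is empty")
    active = [p for p in info["partitions"] if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    if any(p["status"] not in (0x00, 0x80) for p in info["partitions"]):
        findings.append("partition entry with invalid status byte")
    # The reference hash must come from a clean MBR of the same Windows
    # version and language; the boot code embeds localized error strings.
    if reference_sha256 and info["boot_code_sha256"] != reference_sha256:
        findings.append("boot code differs from reference")
    return findings


def build_sample(boot_code: bytes) -> bytes:
    """Constructed test sector: one active NTFS partition starting at LBA 2048."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00") + bytes(6) + entry + bytes(48)
    return body + b"\x55\xaa"


# Constructed stand-ins, not real boot code: a "clean" reference and a copy
# whose leading boot-code bytes have been changed.
CLEAN = build_sample(b"\x33\xc0\x8e\xd0" + b"\x90" * 100)
MODIFIED = build_sample(b"\xeb\x5a\x90\x90" + b"\x90" * 100)
REFERENCE = parse_mbr(CLEAN)["boot_code_sha256"]

if __name__ == "__main__":
    print(triage(CLEAN, REFERENCE))
    print(triage(MODIFIED, REFERENCE))
    # For a real dump: triage(open("mbr.bin", "rb").read(), reference_hash)
```

Hashing only the first 440 bytes keeps the comparison independent of the disk signature and partition table, which legitimately differ from machine to machine.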


#3 Nephilim1955

Nephilim1955

  • Members
  • 100 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:11:42 AM

Posted 12 March 2012 - 02:29 AM

I have a Toshiba Satellite laptop with windows 7. Last week it randomly shut down on my boyfriend but it restarted for him. Last night I was on the laptop and had windows explorer open and it closed the window and shut the computer off. Now it won't start. When you turn it on you get the Toshiba screen then it goes to a blank black screen with the cursor on the top left. I have tried the safe mode and it won't start in safe mode either. I can hit F12 and get the boot manager and F2 to get the Setup Utility. Other than that it won't do anything.

Thanks


If you have a Windows Recovery CD, you can do a System Recovery (return your laptop to factory state). Put the recovery CD in the CD/DVD drive. Reboot the machine, and start tapping on the ESC key. Once you get to this screen use the keyboard arrows to select your CD/DVD drive and hit Enter. Doing this will change the first boot order to the CD/DVD drive. Reboot the machine to start System Recovery. Return to the forum if you need further assistance. :busy:

Edited by hamluis, 12 March 2012 - 08:57 AM.


#4 Artrooks

Artrooks

  • Members
  • 1,463 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:02:42 PM

Posted 12 March 2012 - 07:57 AM

Follow AustrAlien's post (#2). You are in good hands.

Regards,
Brooks



 


#5 The Duchess

The Duchess
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:01:42 PM

Posted 12 March 2012 - 11:43 PM

I think I did it. File is attached.

Thanks!

The Duchess

Attached Files

  • Attached File  mbr.zip   584bytes   7 downloads


#6 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:04:42 AM

Posted 13 March 2012 - 12:32 AM

Thanks: You did well!

The MBR is infected.
virustotal result:
  • MBR infected Rootkit.Boot.Pihar.b (Kaspersky)
Please sit tight and be patient.

I have requested that an experienced helper who specialises in malware-related un-bootable computers respond to your topic.

Thank you.
AustrAlien
Google is my friend. Make Google your friend too.


#7 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:42 PM

Posted 13 March 2012 - 12:50 AM

Download xPUD_MBRfix and save it in the USB drive.

  • Boot the ailing computer to xPUD
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Double click on xPUD_MBRfix to execute the script and wait.
  • If asked, select sda as the disk and Windows 7.
  • When it finishes, its actions will produce a report (mlog.txt) on the USB drive
  • Post that report in your next reply
Boot in Normal Mode. If able to do so, run Combofix as follows:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link or this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#8 The Duchess

The Duchess
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:01:42 PM

Posted 13 March 2012 - 03:37 PM

Download xPUD_MBRfix and save it in the USB drive.

I was unable to download this link. When I click on it I get a new window that opens and has a bunch of strange text on it. The only way to save it is as text so I did that and tried to execute it like you said but it did nothing.

Did I do it wrong or is the link incorrect?

Thanks,

Duchess

#9 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:42 PM

Posted 13 March 2012 - 05:39 PM

Right click on the link and select "Save target as" or "Save link as" in the case of Firefox, browse to the USB drive and save.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#10 The Duchess

The Duchess
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:01:42 PM

Posted 14 March 2012 - 01:59 AM

First part went good. The log is below. The combo fix didn't go so well. It never seemed to come to an end. It would stop on 'complete stage 4' and not seem to do anything more. The first time I ran it I didn't touch it for 2 hours and it never changed. I tried to rerun it multiple times (once as administrator) and it never moved past stage 4. It never would create a log after stage 4 was completed.

Thanks,

Duchess


Tue Mar 13 18:57:02 UTC 2012

User has chosen Windows 7 boot code
User has chosen drive sda
Backing up mbr to backup_sda.bin

Boot code structure before fix
/dev/sda has an x86 boot sector,
it is an unknown boot record

Boot code structure after repairing
/dev/sda has an x86 boot sector,
it is a Microsoft 7 master boot record, like the one this
program creates with the switch -7 on a hard disk device.

#11 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:42 PM

Posted 14 March 2012 - 01:41 PM

Open an administrator command prompt. Click on the Start Orb, type CMD, right click on the CMD.exe file on top of the Start Menu and select "Run as an administrator". At the prompt copy and paste the following command and press Enter.

bcdedit /enum all /v >"%userprofile%"\desktop\bcd.txt

Type Exit and press Enter to return to Windows.

A report (bcd.txt) will be written on your desktop. Post its contents in your next reply.

Please download and run Rkill by Grinler from any of the following locations (Vista and Win7: to run the application, right click on Rkill and choose Run as an Administrator):

Then,

Please download Malwarebytes' Anti-Malware from Here. Never download Malwarebytes' Anti-Malware from other sources.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Edited by JSntgRvr, 14 March 2012 - 01:44 PM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#12 The Duchess

The Duchess
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:01:42 PM

Posted 15 March 2012 - 01:02 PM

I got everything to work. The Malwarebytes quick scan took 14 hours. That is unusual. I have Malwarebytes on my computer and run it and it doesn't usually take that long. There were two reports logged for Malwarebytes so I posted both of them.


BCD Text

Windows Boot Manager
--------------------
identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device partition=\Device\HarddiskVolume1
description Windows Boot Manager
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
default {78e1eeee-e797-11de-ae69-93ed5165826f}
resumeobject {78e1eeed-e797-11de-ae69-93ed5165826f}
displayorder {78e1eeee-e797-11de-ae69-93ed5165826f}
toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
timeout 30

Windows Boot Loader
-------------------
identifier {78e1eeee-e797-11de-ae69-93ed5165826f}
device partition=C:
path \windows\system32\winload.exe
description Windows 7
locale en-US
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
recoverysequence {78e1eeef-e797-11de-ae69-93ed5165826f}
recoveryenabled Yes
osdevice partition=C:
systemroot \windows
resumeobject {78e1eeed-e797-11de-ae69-93ed5165826f}
nx OptIn

Windows Boot Loader
-------------------
identifier {78e1eeef-e797-11de-ae69-93ed5165826f}
device ramdisk=[\Device\HarddiskVolume1]\Recovery\WindowsRE\Winre.wim,{78e1eef0-e797-11de-ae69-93ed5165826f}
path \windows\system32\winload.exe
description Windows Recovery Environment
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
osdevice ramdisk=[\Device\HarddiskVolume1]\Recovery\WindowsRE\Winre.wim,{78e1eef0-e797-11de-ae69-93ed5165826f}
systemroot \windows
nx OptIn
winpe Yes
custom:46000010 Yes

Resume from Hibernate
---------------------
identifier {78e1eeed-e797-11de-ae69-93ed5165826f}
device partition=C:
path \windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {1afa9c49-16ab-4a5c-901b-212802da9460}
filedevice partition=C:
filepath \hiberfil.sys
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {b2721d73-1db4-4c62-bf78-c548a880142d}
device partition=\Device\HarddiskVolume1
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
badmemoryaccess Yes

EMS Settings
------------
identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
bootems Yes

Debugger Settings
-----------------
identifier {4636856e-540f-4170-a130-a84776f4c654}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {5189b25c-5558-4bf2-bca4-289b11bd29e2}

Global Settings
---------------
identifier {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
inherit {4636856e-540f-4170-a130-a84776f4c654}
        {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
        {5189b25c-5558-4bf2-bca4-289b11bd29e2}

Boot Loader Settings
--------------------
identifier {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
        {7ff607e0-4395-11db-b0de-0800200c9a66}

Hypervisor Settings
-------------------
identifier {7ff607e0-4395-11db-b0de-0800200c9a66}
hypervisordebugtype Serial
hypervisordebugport 1
hypervisorbaudrate 115200

Resume Loader Settings
----------------------
identifier {1afa9c49-16ab-4a5c-901b-212802da9460}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

Device options
--------------
identifier {78e1eef0-e797-11de-ae69-93ed5165826f}
description Ramdisk Options
ramdisksdidevice partition=\Device\HarddiskVolume1
ramdisksdipath \Recovery\WindowsRE\boot.sdi




Malwarebytes report 1

Malwarebytes Anti-Malware (PRO) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.03.14.07

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Duchess Lana :: DUCHESSLANA-PC [administrator]

Protection: Enabled

3/14/2012 2:48:21 PM
mbam-log-2012-03-14 (14-48-21).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 1806842
Time elapsed: 14 hour(s), 30 minute(s), 7 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (Backdoor.Agent) -> Data: C:\Users\Duchess Lana\AppData\Local\9ed2ff13\X -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Duchess Lana\Local Settings\Temporary Internet Files\Content.IE5\SPLFNV13\Player[1].exe (PUP.BundleInstaller.VG) -> Quarantined and deleted successfully.

(end)


Thanks,

Duchess

#13 The Duchess

The Duchess
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:01:42 PM

Posted 15 March 2012 - 01:06 PM

The other report was so long that this post wouldn't take it. Do you want me to post it in sections or did I post the right one?

Thanks,

Duchess

#14 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:42 PM

Posted 15 March 2012 - 02:39 PM

You can upload that report here.

Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

ESET online scanner


Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista or Windows 7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • First please Disable any Antivirus you have active, as shown in This topic.
  • Note: Don't forget to re-enable it after the scan.
  • Next hold down Control then click on the following link to open a new window to ESET online scanner.
  • Select the option YES, I accept the Terms of Use then click on Start.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.

  • All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    Scan for potentially unwanted applications
    Scan for potentially unsafe applications
    Enable Anti-Stealth Technology

  • Now click on Start.
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on Finish.
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#15 The Duchess

The Duchess
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:01:42 PM

Posted 15 March 2012 - 07:30 PM

Both scans froze before complete. The old timer scan would start then freeze before it would complete then I would get a message that the program was not responding. Tried the old timer multiple times with the same thing happening.

The eset scan would make it to 92% then not do anything. I tried this one twice and let it run for 2 hours each time; it was stuck at 92% for at least an hour before I stopped it. The results that I did get for the eset scan are below.




C:\ProgramData\Microsoft\Windows\DRM\86DB.tmp Win64/Olmarik.AD trojan
C:\ProgramData\Microsoft\Windows\DRM\86DC.tmp Win64/Olmarik.AD trojan
C:\Users\All Users\Microsoft\Windows\DRM\86DB.tmp Win64/Olmarik.AD trojan
C:\Users\All Users\Microsoft\Windows\DRM\86DC.tmp Win64/Olmarik.AD trojan
C:\Users\Duchess Lana\AppData\Local\9ed2ff13\X Win64/Sirefef.I trojan
C:\Users\Duchess Lana\AppData\Local\9ed2ff13\U\800000cf.@ Win64/Sirefef.U trojan
C:\Users\Duchess Lana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\38BSN4WU\news[1].htm JS/Kryptik.ES trojan
C:\Users\Duchess Lana\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9B2CO2O0\stream[1].htm HTML/Iframe.B.Gen virus



